Releases: invictus-ir/Microsoft-Extractor-Suite
Update V2.1.1 - Updates & Improvements
Improvements
- Accepted pull request from @angry-bender updating the date format in Get-UALGraph for improved readability and consistency.
- Corrected a typo in the $filePath variable when using the -Download flag in Get-MessageIDs.
- Implemented suggestions from @Calvindd2f to add additional parameters for connection scripts. Users can now connect using an access token.
- Reworked the $areYouConnected functionality for the UAL scripts.
- Introduced the -All parameter to Get-ADAuditLogsGraph. By default, filtering with the UserIds field retrieves only actions directly performed by the specified user. With the new -All flag, the command now includes all related events involving the user, such as events where an MFA device was added for them.
- Fixed an issue where the merge output would throw "out of memory" errors. Now, while merging the output files, each file is written directly to the merged output file instead of reading everything into memory first and then saving it.
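The streaming merge described in the last item, as an added example that is not the project's own code: each per-day output file is copied line by line into the merged file, so memory use stays flat regardless of how many files are merged. Merge-OutputFilesStreaming is a hypothetical name, and the example assumes CSV outputs that share one header row; the sample files are constructed here.

```powershell
# Added example (not code from Microsoft-Extractor-Suite): stream per-file
# outputs into one merged file instead of loading everything into memory first.
# Assumes CSV files that share a single header line.
function Merge-OutputFilesStreaming {
    param(
        [Parameter(Mandatory)][string]$SourceDirectory,
        [Parameter(Mandatory)][string]$Destination,
        [string]$Filter = '*.csv'
    )
    $files = @(Get-ChildItem -Path $SourceDirectory -Filter $Filter -File | Sort-Object Name)
    if ($files.Count -eq 0) { throw "No '$Filter' files found in $SourceDirectory" }

    # The pattern that runs out of memory on large acquisitions is collecting
    # every file first ($all = $files | ForEach-Object { Import-Csv $_ }) and
    # exporting once at the end; below, nothing but the current line is held.
    $writer = [System.IO.StreamWriter]::new($Destination, $false, [System.Text.UTF8Encoding]::new($false))
    try {
        $headerWritten = $false
        foreach ($file in $files) {
            $reader = [System.IO.StreamReader]::new($file.FullName)
            try {
                $header = $reader.ReadLine()   # first line of each file is the CSV header
                if (-not $headerWritten) { $writer.WriteLine($header); $headerWritten = $true }
                # copy the remaining rows one at a time, skipping blank lines
                while ($null -ne ($line = $reader.ReadLine())) {
                    if ($line.Length -gt 0) { $writer.WriteLine($line) }
                }
            } finally { $reader.Dispose() }
        }
    } finally { $writer.Dispose() }
    return $Destination
}

# Constructed sample input: two small per-day files with the same header.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("mes-merge-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp > $null
"CreationDate,UserIds,Operations`n2024-01-01T10:00:00Z,alice@contoso.example,UserLoggedIn" |
    Set-Content -Path (Join-Path $tmp 'UAL-2024-01-01.csv')
"CreationDate,UserIds,Operations`n2024-01-02T09:30:00Z,bob@contoso.example,New-InboxRule" |
    Set-Content -Path (Join-Path $tmp 'UAL-2024-01-02.csv')

$merged = Merge-OutputFilesStreaming -SourceDirectory $tmp -Destination (Join-Path $tmp 'UAL-Combined.csv')
Get-Content $merged   # header once, then one row per source file
```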
As suggested by @evild3ad:
- Updated the import command: Import-Module .\Microsoft-Extractor-Suite.psm1 -ArgumentList $true to suppress the logo output, optimizing it for automation scenarios.
- Replaced remaining Write-Host commands in Get-Rules.ps1 with the custom Write-LogFile function for consistent logging.
- Fixed an issue in Get-MailboxRules where using the -UserIDs flag with no rules found would incorrectly display the total inbox rules.
- Added support for the -UserIds flag to Risky Users and Detections.
- Added support for the -UserIds flag to the Get-MFA functionality.
Update V2.1.0 - Updates & Improvements
Get-MessageIDs:
- Added try/catch to handle errors when attempting to download emails that have already been deleted from the mailbox.
Get-UAL Scripts:
- Fixed JSON output format to ensure correct and consistent JSON formatting.
AzureADGraphLogs:
- Merged pull request from @Matthijsy, adding additional details to the acquisition output for audit and sign-in logs.
Graph Sign-in Endpoint Update:
- Changed to using the beta endpoint for sign-in logs, increasing the number of fields per event from 107 to 299, providing more useful data for analysis.
New Features & Enhancements:
- Added -mergeoutput flag to Get-UALSpecificActivity, as suggested by @SecurityAura.
- Added a warning when using the -Download flag in Get-MessageIDs without an active Graph connection, also as suggested by @SecurityAura.
Update V2.0.3 - Again some improvements & Bug fixes
General changes:
- Fixed incorrect scope for Get-Emails in both the script and documentation.
- Added mergeoutput flag for the Audit Logs Graph acquisition method.
- Fixed mergeoutput to generate correct JSON format for Microsoft-Analyzer-Suite.
- Added try/catch in the Activity Logs and Directory Activity Logs authentication flows to catch errors when the user is not connected.
- Removed filter from Get-AzureDirectoryActivityLogs to ensure all events are collected.
- Fixed a small logic error in Get-AdminUsers, preventing errors when removed user IDs are identified in a group.
- Added -ObjectId parameter to Get-UALGraph.
- Added -ObjectId parameter to all Unified Audit Log acquisition scripts.
Small fixes for Get-MailItemsAccessed:
- Made -Download a switch parameter.
- Fixed an issue where the InternetMessageId was not being retrieved correctly from the output.
- Added a try/catch block to handle potential errors as they occur.
Update V2.0.2 - Improvements & Bug fixes
Based on suggestions by Angry-Bender:
- Increased sleep timer by 5 seconds for the AD sign-in/audit logs.
- Replaced break statements inside loops with throw statements in all scripts.
- Fixed dates to be in a readable format again for the sign-in and audit logs. (Thanks to Calvindd2f for showing how to achieve this)
- Get-GraphAuthType now checks if the required scopes are used and, if not, will attempt to set up a connection with them. This should prevent you from having to close the browser each time when consent has already been granted.
Fixed an issue reported by ReDoneX0 where Get-Email was not saving in the correct EML format.
Had to fix a small error and can't update/remove the PowerShell Gallery listing, so I guess I'll just make it version 2.0.2.😓
Update V2.0 - Added acquisition for Azure Directory Activity logs and a variety of other improvements.
Acquisition for new log source added:
- Added Azure Directory Activity logs.
Output Structure Improvements:
Restructured the output to write results to specific folders instead of multiple outputs in Userinfo. For instance, the MFA functionality now generates a new folder named MFA for its output.
Performance improvements inspired by Calvindd2f:
- Replaced | Out-Null with > $null across multiple instances in the script for improved performance.
- Redesigned the log-writing mechanism for increased speed.
- Set default parameters in CmdletBindings across all scripts.
- Moved log combining into its own function, separate from the function that uses it.
Authentication Type Detection:
- Implemented functionality to automatically detect whether the user is logged in via Graph with delegated or application permissions. This prevents unnecessary errors by ensuring that the script connects with the appropriate scopes based on the authentication type.
- Removed the need for the Application parameter. The script now automatically determines the authentication type in the background.
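The scope check from the V2.0.2 Get-GraphAuthType item and the delegated-versus-application detection described just above, as an added example that is not the project's own code: the session is inspected with Get-MgContext (a Microsoft.Graph.Authentication cmdlet whose context exposes AuthType and Scopes), and Connect-MgGraph is only called when a delegated scope the acquisition needs is missing. Test-GraphScopes and Connect-GraphWithScopes are hypothetical names, and the two scopes at the bottom are example values.

```powershell
# Added example (not the project's Get-GraphAuthType): report the Graph auth type
# and reconnect only when required delegated scopes are missing.
function Test-GraphScopes {
    param([Parameter(Mandatory)][string[]]$RequiredScopes)
    $ctx = Get-MgContext
    if ($null -eq $ctx) {
        return [pscustomobject]@{ Connected = $false; AuthType = $null; Missing = $RequiredScopes }
    }
    # App-only sessions carry application permissions rather than delegated scopes,
    # so comparing scope names is meaningless there; report it and let the caller decide.
    if ($ctx.AuthType -eq 'AppOnly') {
        return [pscustomobject]@{ Connected = $true; AuthType = 'AppOnly'; Missing = @() }
    }
    $missing = @($RequiredScopes | Where-Object { $ctx.Scopes -notcontains $_ })
    [pscustomobject]@{ Connected = $true; AuthType = [string]$ctx.AuthType; Missing = $missing }
}

function Connect-GraphWithScopes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$RequiredScopes)
    $state = Test-GraphScopes -RequiredScopes $RequiredScopes
    if ($state.Connected -and $state.Missing.Count -eq 0) {
        Write-Verbose "Graph session ($($state.AuthType)) already has the required scopes"
        return $state
    }
    # Requesting the union of current and missing scopes keeps the consent already
    # granted, so a browser prompt only appears when a genuinely new scope is needed.
    $current = if ($state.Connected) { (Get-MgContext).Scopes } else { @() }
    $scopes = @($current + $state.Missing | Select-Object -Unique)
    Connect-MgGraph -Scopes $scopes -NoWelcome
    Test-GraphScopes -RequiredScopes $RequiredScopes
}

# Example scopes for a sign-in/audit log acquisition (example values, not the project's list)
Connect-GraphWithScopes -RequiredScopes 'AuditLog.Read.All', 'Directory.Read.All' -Verbose
```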
Optimized Graph API Requests:
Updated certain functionalities to use Invoke-MgGraphRequest instead of the Graph PowerShell Module cmdlets for improved performance and reliability.
- The Get-MFA script now utilizes Invoke-MgGraphRequest to ensure all output is captured, including nested objects that were previously missed.
- Get-Email, Get-Attachment and Show-Email now use Invoke-MgGraphRequest for better performance and reliability.
- Get-UALGraph has been reworked and now uses Invoke-MgGraphRequest for better performance.
- Get-RiskyUsers and Get-RiskyDetections both use Invoke-MgGraphRequest now.
Get-ADSignInLogsGraph and Get-ADAuditLogsGraph:
Inspired by code snippets from Calvindd2f, both functionalities have been reworked to use Invoke-MgGraphRequest. This change simplifies paging, eliminates the need for guessing the correct intervals, and allows for more efficient log retrieval. As a result, the script is now easier to use, faster, and should mitigate memory issues.
Get-ActivityLogs
This functionality now uses Invoke-RestMethod instead of the Azure Az PowerShell module cmdlets for improved performance and reliability. This change simplifies paging, eliminates the need to guess correct intervals, and enables more efficient log retrieval.
Read The Docs:
Updated Read The Docs so it's up to date with the latest changes.
areYouConnected:
The $areYouConnected function, which checks if the script can run the necessary actions and provides an error if it cannot, has been improved. It now displays the actual error message when the script fails, rather than a custom error message. Additionally, it no longer checks the module before running the main code (for most functions), making the script faster by avoiding unnecessary module checks.
Update V1.3.5 - Improvements to Get-AzureADLogs + Get-AzureADGraphLogs
Get-AzureADLogs and Get-AzureADGraphLogs:
- Changed the output directory names for the Audit and Sign-in logs to make it clearer which folders contain what logs.
- Accepted pull request by angry-bender, which added the split by time feature to Get-AzureADAuditLogs with a 12-hour interval (larger dataset than SignInLogs).
- Both Graph and AD collections for the audit logs and sign-in logs now support date and time instead of only date.
- Added error handling to the Graph and AD functionalities to retry if they fail, ensuring all data is collected.
Get-Email
- The functionality Get-Email now supports an input text file containing multiple message IDs, and the functionality will download all messages.
Update V1.3.4 - Bug fixes
- Fixed a bug reported by Camel0101 where the number of log entries is not displayed in the Get-UALStatistics command.
- Fixed a bug reported by SecurityAura where LogFile.txt gives errors when the default Output directory is not present.
- Fixed an issue where the MergeOutput flag is not working correctly for Get-UALGroup and Get-UALSpecific.
- As requested by evild3ad, the LastUpdatedDateTime has been added to the Get-MFA command.
Update V1.3.3 - Some bug fixes
- Fixed some functionalities that did not return valid JSON output:
- Get-UalGraph
- Get-ADAuditLogs
- Removed incorrect parameter in the Azure Audit Logs documentation.
- Removed incorrect example for the Get-Session functionality.
- Added Microsoft-Analyzer-Suite by evild3ad to the readme.
- Added a try/catch loop for Get-ActivityLogs as requested by angry-bender.
- Fixed a bug in the Get-Sessions and Get-MessageIDs functionalities not correctly filtering.
- Added an extra output to the Get-MFA functionality, now writing two CSV files with user registration details and authentication methods utilized in the environment.
- Removed duplicate tempaccess/temporaryAccessPass in Get-MFA.
- Accepted Pull Request from angry-bender fixing some date format issues with the Graph Sign-in functionality.
Introduced a merge output flag for Azure AD Graph logs and AD logs
- Merge Output Option: Introduced a merge output flag for Azure AD Graph logs and AD logs.
- File Naming Correction: Corrected an issue where the .json extension was missing from the filename for AD sign-in logs, ensuring files are correctly recognized and processed by tools expecting JSON format.
- Option Renaming: The MergecsvOutput option has been renamed to MergeOutput to better reflect its functionality and to accommodate both CSV and JSON file formats.
- Fixed bug with wrong version number in the version check.
Fixed a bug in the Get-UalGraph function that caused an error during output writing
Fixed a bug in the Get-UalGraph function that caused an error during output writing. Additionally, accepted a pull request from Angry-Bender that resolves potential out-of-memory issues in Get-AzureADLogs by writing the output to separate files for each day.